Internet Explorer 8's New Cross-Site Scripting Protection

As you probably know, Internet Explorer (IE) 8 is currently in beta testing. In addition to much-needed compatibility updates to Cascading Stylesheet (CSS) handling, the browser is gaining other new functionality. Probably one of the most important improvements in IE 8 is its defense against cross-site scripting (XSS) attacks.

XSS is one of the most common security problems encountered in web applications, and there are many ways to perpetrate such an attack. If you take a quick look at the XSS Cheat Sheet over at ha.ckers.org (at the URL below) you'll see dozens of examples, any of which could possibly inject such an attack into a web browser depending on the browser version. The attacks vary from putting script tags where they might not normally be expected, to obfuscating characters using various encoding, to appending scripts to URLs, and much more. http://ha.ckers.org/xss.html

IE has contained XSS protection in some fashion since about 2002, and when IE 8 is released we'll see a much stronger XSS filtering system. The new filtering system considerably reduces the potential attack surface. Microsoft is achieving that by building a signature-based detection system. Regular expressions (regex) will be used to identify potential attacks. If potential attacks are detected, then additional regular expressions might be generated for use in detecting further potential attacks that might stem from variations in the web platform code pre-processing. For example, IIS might handle encoded characters differently than Apache or LiteSpeed web servers.

All the XSS filtering will take place inside IE's rendering engine, which Microsoft says is the best place for the filtering to occur in terms of performance. When attacks are detected, IE will refuse to execute the related script code and alert the user that an attack has been blocked. From an administrator's standpoint, you can enable or disable the XSS filter for each of IE's security zones using Group Policy.

Many security administrators feel that IE's approach to security is still a bit too broad. Sure, you have four security zones in which to control sites, which is very helpful. But that control isn't granular enough in some cases. For example, with Firefox you can install the NoScript add-on (available at the first URL below) and totally control JavaScript execution on a site-by-site basis and on-the-fly with a simple right-click context menu that can be adjusted in a matter of a couple of seconds. Accomplishing the same thing in IE is a rather tedious multi-click task. It'd be extremely helpful to see something like NoScript (and Flashblock, for that matter--at the second URL below) built into IE. http://noscript.net/https://addons.mozilla.org/en-US/firefox/addon/433